Databricks keeps your personal information for as long as it needs it for business purposes, legal obligations, or to defend against claims, without specifying a fixed retention period for most data categories.
This analysis describes what Databricks's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Open-ended retention language means your data could be kept indefinitely for broad purposes including legal defense, which may conflict with data minimization principles under GDPR and similar frameworks.
Interpretive note: The practical retention period for specific data categories cannot be determined from the notice text alone, and the adequacy of this disclosure under GDPR Article 13 and 14 requires further assessment.
Your personal data may be retained by Databricks for an indefinite period tied to broad business and legal purposes, with no specific maximum retention period stated for most data categories, limiting your ability to predict when data will be deleted.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
Databricks has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.— Excerpt from Databricks's Databricks Privacy Notice
REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires personal data to be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed (storage limitation principle). The open-ended retention language in this provision creates potential tension with this principle, and EU supervisory authorities have taken enforcement action against organizations with excessively broad retention justifications. US state privacy laws generally do not impose explicit retention period requirements but do support deletion rights. GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods for defined data categories is common in public-facing privacy notices but may not satisfy GDPR's requirement for specific retention information in privacy notices under Article 13 and 14. A records retention schedule with category-specific periods should exist internally. JURISDICTION FLAGS: EU/EEA organizations should assess whether Databricks' retention practices satisfy GDPR storage limitation requirements, particularly for personal data processed under legitimate interests. UK users have similar rights under UK GDPR. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers whose employee or contact data Databricks processes should request information about specific retention periods applicable to their data under the DPA, as the public notice's open-ended language may not provide adequate specificity for GDPR Article 28 compliance. COMPLIANCE CONSIDERATIONS: Legal teams should request Databricks' internal data retention schedule as part of vendor due diligence, and should assess whether the stated legal defense and fraud prevention justifications for extended retention are proportionate to the data categories involved.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Open-ended retention language means your data could be kept indefinitely for broad purposes including legal defense, which may conflict with data minimization principles under GDPR and similar frameworks.
Your personal data may be retained by Databricks for an indefinite period tied to broad business and legal purposes, with no specific maximum retention period stated for most data categories, limiting your ability to predict when data will be deleted.
ConductAtlas has identified this type of provision across 115 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Databricks.